The new Cyber Security Strategy consolidates current thinking, and will be a good basis for further strategic development on corporate governance and supply chains.
As the digital landscape continues to grow and become more sophisticated, so too does the threat of cyber security incidents. Any executive officer or board member is (or should be) aware of the growing cyber security threat to their organisation, a threat recognised by the latest version of the Australian Government's recently released Cyber Security Strategy.
It focuses on specific government responses and on developing joint efforts between government and the private sector, and the Government is backing this with more than $230 million over four years to deliver the initiatives under the Strategy (in addition to the $400 million boost to Defence cyber capabilities over 10 years flowing from the Defence White Paper).
While the Cyber Security Strategy is focused on mostly Government initiatives, and consolidates recent thinking, it also flags the importance of two areas for all organisations: corporate governance and control of supply chains. It will be these two critical areas that organisations should be looking at now, and that future versions of the Strategy should expand upon.
The Cyber Security Strategy: five themes
At the core of the Cyber Security Strategy is a recognition that the internet plays a critical role in modern business and government, and that cyber insecurity puts Australia's national security, economic prosperity and social wellbeing at risk. The Government's focus is to put Australia at the forefront of cyber security by building an army of cyber-savvy governments, businesses and users, each with vital roles to play.
The Strategy outlines five themes of action to further strengthen Australia's cyber security:
- a national cyber partnership;
- strong cyber defence;
- global responsibility and influence;
- growth and innovation; and
- a cyber smart nation.
A National Cyber Partnership
To encourage a more strategic and co-ordinated approach to cyber security, there will be annual cyber security meetings of government and business leaders to implement and, where necessary, update the initiatives as cyber security issues evolve. A Minister Assisting the Prime Minister for cyber security will lead the Government’s work in this space. In addition, funding has also been dedicated to research which will inform investment and risk management decisions for cyber security.
Given the wide diversity of Government departments and agencies with varying responsibilities relating to cyber security, a new streamlined Government cyber security structure will be a welcome development by industry:
- The Department of the Prime Minister and Cabinet will remain the central point for policy issues.
- The Australian Cyber Security Centre, led by the Department of Defence and the Australian Signals Directorate, will drive the Government's operational cyber security capabilities. The ACSC will also move to a new facility to ensure a more integrated partnership with both the public and private sectors.
- A Cyber Ambassador will be appointed by the Minister of Foreign Affairs to lead Australia's international cyber effort.
A Special Adviser on Cyber Security, working closely with the Cyber Ambassador, will oversee the Government's new cyber security structure and ensure that governments, business, the research community and international partnerships are effectively managed.
Strong Cyber Defences
Enforcement and information-sharing
The Australian Cyber Security Centre will, along with other regulators, be resourced to fight the "rising tide of malicious cyber activity and keep our cyberspace safe".
Joint Cyber Threat Centres will be established in key capital cities to better detect, deter and respond to cyber threats, and to allow governments, businesses and the research community to exchange sensitive cyber threat information. An online cyber sharing portal will allow organisations, including small to medium-sized businesses, to access crucial information to support their operations in cyberspace.
National voluntary cyber security guidelines will be co-designed by governments, businesses and the research community. The voluntary guidelines will be based on the ASD's Strategies to Mitigate Targeted Cyber Intrusions and aligned to international standards. Voluntary cyber security governance health checks for ASX100 listed businesses will be developed to help organisations (public and private) to understand their cyber security maturity. Small businesses will be given the opportunity to have their cyber security tested by certified practitioners.
As Government networks remain an attractive target for malicious cyber activity, the Strategy aims to improve the cyber security capability of agencies. This includes conducting independent assessments of compliance against the ASD's Strategies to Mitigate Targeted Cyber Intrusions. Guidance will also be developed to assist government agencies to address ICT supply chain risks.
Global responsibility and influence
Through an international engagement strategy the Government will step up efforts to work with its international partners and promote an open, free and secure internet. The Cyber Ambassador will also represent and advance Australia's interests on international cyber issues. Key activities in this area will include closing the digital and economic gap, and working with international law enforcement on cybercrime and terrorism.
Growth and innovation
One of the first initiatives announced under the Strategy was the Government's $30 million commitment to establish a Cyber Security Growth Centre, an independent, not-for-profit company which will identify and address industry needs, develop a strategic vision for Australia to become a global leader in the cyber security industry, and attract investment from multinationals. This theme also includes, amongst other things:
- enhancing the visa system to attract the best talent and skills to Australia;
- investing $36 million over five years to improve Australia’s international innovation and science collaboration through the Global Innovation Strategy;
- supporting high-growth potential start-ups by providing concessional tax treatment for investors; and
- supporting commercialisation of research through early stage innovation funds.
A Cyber Smart Nation
Australia's skills shortage of cyber professionals will be addressed by greater emphasis on cyber security skills as part of ICT qualifications, establishing centres of cyber security excellence in universities and increasing diversity and female participation in cyber security careers.
For individuals, whose actions can be a first line of defence, the focus will be on improving cyber security skills and awareness based on national awareness campaigns that will be developed by governments, businesses, researchers and community groups.
What should Cyber Security Strategy v 3.0 include?
Although the Strategy is a clear compilation of current thinking, the threat keeps evolving, and organisations' need for more guidance and information will keep growing. Two areas we hope will receive even more focus in future versions are corporate governance and supply chains.
The Strategy encourages organisations, both public and private, to elevate the cyber security discussion to management and, where applicable, to the Board level. This is essential to foster a culture of vigilance; indeed, we would argue that it is so essential that it should be mandatory. A future version of the Strategy should give directors and officers clearer and more detailed guidance on their liability, best practice and risk mitigation.
Until then, public and private organisations should not be complacent. If nothing else, the Panama Papers leak has shown that cyber security and the potential damage that could be done by insiders should be on the board's agenda, as should greater investment in policies that promote sound cyber practices, such as:
- educating employees on securing their workstations and the correct use of both company resources and employee devices (USBs, tablets, phones);
- increasing awareness of methods used by cyber criminals such as spear phishing (socially engineered e-mails sent to employees with attachments that contain malicious code);
- using stronger passwords or introducing the use of passphrases; and
- imposing strict roles and access protocols for sensitive and confidential information to prevent unauthorised disclosure.
Supply chains and procurement policies
With the growth in bilateral and multilateral free trade agreements, offshoring and globalisation, and 24/7 "follow the sun" business practices, supply chains can stretch across multiple borders and legal regimes. Your organisation cannot look only at its immediate supplier, but must understand each link in the chain, and ensure that privacy, data protection and other legal requirements are safeguarded at every stage.
As a first step, you should be reviewing the arrangements you currently have, but beyond that, procurement policies will need to put cyber security front and centre, and boards will need to understand and support this. While there could be cost implications, they are nothing compared to the cost (financial and reputational) of a major breach of cyber security.